The password-reset paradox

James Chacon jmc at netbsd.org
Fri Feb 20 14:25:05 EST 2009


On Feb 19, 2009, at 7:36 AM, Peter Gutmann wrote:

> There are a variety of password cost-estimation surveys floating around that
> put the cost of password resets at $100-200 per user per year, depending on
> which survey you use (Gartner says so, it must be true).
>
> You can get OTP tokens as little as $5.  Barely anyone uses them.
>
> Can anyone explain why, if the cost of password resets is so high, banks and
> the like don't want to spend $5 (plus one-off background infrastructure costs
> and whatnot) on a token like this?
>
> (My guess is that the password-reset cost estimates are coming from the same
> place as software and music piracy figures, but I'd still be interested in any
> information anyone can provide).

I'd almost guarantee that's the reason. Buying OTPs comes out of
direct funds right there on the spot, whereas "it costs us XXX to reset
passwords" is a nebulous stat that can likely be written however
someone wants to read it.

Plus, given most OTPs have short expirations to generate rolling
revenue for the provider (a la SecurID), it's not a simple cost to
start down this path for a lot of businesses.

James

---------------------------------------------------------------------
The Cryptography Mailing List